Barts Health NHS confirms data breach after Oracle zero-day exploited
Tshedimoso Makhene
December 10, 2025
The Barts Health NHS Trust has disclosed that a sophisticated hack resulted in sensitive data being stolen from one of its databases. The breach was carried out by the Cl0p ransomware gang, which exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS).
What happened
According to BleepingComputer, Barts Health NHS Trust has confirmed a data breach after the Cl0p ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882). The attackers used the flaw to access one of the trust’s databases and steal a collection of financial and administrative files, including invoices containing patient names, addresses, and payment details. Some of the data also concerned former employees who owed money to the trust, as well as accounting files related to services Barts provided to hospitals tied to the NHS Trust.
The breach occurred in August, but Barts only became aware of the compromise when Cl0p published the stolen files on its dark-web leak site in November. The trust noted that core clinical and electronic patient-care systems were not impacted. However, the exposed database held several years’ worth of sensitive records, now accessible to anyone able to retrieve the leaked archives online.
Going deeper
The attack against Barts is part of a wider exploitation campaign tied to the Oracle EBS zero-day CVE-2025-61882, which has been actively used by Cl0p since early August 2025. Multiple large organizations have already confirmed that they were hit in this campaign, including universities, media companies, and technology firms.
While Barts insists its core clinical systems, such as electronic patient records, were not affected, the compromise of financial and billing data is nonetheless serious, and illustrates how attackers target backend accounting or enterprise-resource-management systems, rather than front-facing clinical infrastructure.
What was said
In its public disclosure, Barts Health noted that the theft “occurred in August, but there was no indication that trust data was at risk until November when the files were posted on the dark web.” The Trust also warned that, “to date no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web.”
Furthermore, Barts said it is pursuing a High Court order aiming to block the publication, sharing, or use of the exposed data.
Barts has also reassured its patients that their data remains intact and secure, stating “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”
In the know
Cl0p is a sophisticated ransomware and extortion group linked to the broader threat actor TA505, one of the most active financially motivated cybercriminal groups. While Cl0p originally gained notoriety through traditional ransomware attacks delivered via large-scale phishing campaigns, the gang has shifted toward exploiting zero-day vulnerabilities in widely used file-transfer and enterprise systems. According to CISA advisory AA23-158A, Cl0p was behind the mass exploitation of a MOVEit Transfer zero-day (CVE-2023-34362), using SQL-injection flaws to install a custom web shell called LEMURLOOT on compromised servers. This allowed the group to execute commands, steal sensitive data, and launch extortion campaigns without deploying encryption. Before the MOVEit attack, Cl0p had exploited zero-day flaws in Accellion FTA and GoAnywhere MFT, indicating a strategic focus on high-impact file-transfer infrastructure. The group's operations rely on data theft, double extortion, and the rapid exploitation of newly discovered vulnerabilities.
Read more: Critical vulnerabilities identified in MOVEit Transfer and MOVEit Cloud
Why it matters
The impact of this breach may go beyond the immediate organization because Barts' database contained information about accounting services rendered to other NHS entities.
FAQs
What makes Cl0p different from other ransomware groups?
Cl0p increasingly avoids encrypting systems and instead focuses on exploiting zero-day vulnerabilities to steal large volumes of sensitive data. This strategy lets them pressure victims through extortion without disrupting operations, making detection harder and recovery more complex.
How can organizations protect themselves?
CISA recommends prompt patching, monitoring for suspicious network activity, limiting administrative privileges, segmenting networks, and securing internet-facing applications. Regular audits of file-transfer tools and MFA enforcement also significantly reduce risk.
Does paying the ransom stop Cl0p from leaking data?
There is no guarantee. Even when victims pay, ransomware groups may still publish stolen data or retain copies for future extortion attempts. Authorities strongly discourage ransom payments.
Read more: To pay or not to pay: Cyberattack ransoms in healthcare